Add permissions checks

7 years ago · b2bf79a2f1
parent 769ea75e82
commit b2bf79a2f1
7 changed files with 63 additions and 12 deletions
--- a/action.php
+++ b/action.php
@ -26,6 +26,10 @@ function returnToSender($msg, $arg = "") {
    die();
 }
 if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "INV_EDIT")) {
    returnToSender("no_edit_permission");
 }
 switch ($VARS['action']) {
    case "edititem":
        $insert = true;
--- a/app.php
+++ b/app.php
@ -1,10 +1,7 @@
 <?php
 require_once __DIR__ . "/required.php";
-if ($_SESSION['loggedin'] != true) {
+redirectIfNotLoggedIn();
    header('Location: index.php');
    die("Session expired.  Log in again to continue.");
 }
 require_once __DIR__ . "/pages.php";
--- a/index.php
+++ b/index.php
@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "INV_VIEW")) {
    header('Location: app.php');
 }
@ -34,13 +34,17 @@ if (checkLoginServer()) {
                        break;
                }
                if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
+                    if (account_has_permission($VARS['username'], "INV_VIEW") == FALSE) {
-                    if (userHasTOTP($VARS['username'])) {
+                        $alert = lang("no permission", false);
                        $multiauth = true;
                    } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
-                        header('Location: app.php');
+                        if (userHasTOTP($VARS['username'])) {
-                        die("Logged in, go to app.php");
+                            $multiauth = true;
                        } else {
                            doLoginUser($VARS['username'], $VARS['password']);
                            header('Location: app.php');
                            die("Logged in, go to app.php");
                        }
                    }
                }
            } else {
--- a/lang/en_us.php
+++ b/lang/en_us.php
@ -15,6 +15,7 @@ define("STRINGS", [
    "account terminated" => "Account terminated.  Access denied.",
    "account state error" => "Your account state is not stable.  Log out, restart your browser, and try again.",
    "welcome user" => "Welcome, {user}!",
    "no permission" => "You do not have permission to access this system.",
    "sign out" => "Sign out",
    "settings" => "Settings",
    "options" => "Options",
@ -24,6 +25,7 @@ define("STRINGS", [
    "login server error" => "The login server returned an error: {arg}",
    "login server user data error" => "The login server refused to provide account information.  Try again or contact technical support.",
    "captcha error" => "There was a problem with the CAPTCHA (robot test).  Try again.",
    "no edit permission" => "You do not have permission to modify records.",
    "home" => "Home",
    "invalid itemid" => "The item ID is invalid.",
    "invalid category" => "The category is invalid.",
--- a/lang/messages.php
+++ b/lang/messages.php
@ -13,6 +13,10 @@ define("MESSAGES", [
        "string" => "page not found",
        "type" => "info"
    ],
    "no_edit_permission" => [
        "string" => "no edit permission",
        "type" => "danger"
    ],
    "invalid_itemid" => [
        "string" => "invalid itemid",
        "type" => "danger"
--- a/lib/login.php
+++ b/lib/login.php
@ -157,6 +157,37 @@ function get_account_status($username) {
    }
 }
 /**
 * Check if the given username has the given permission (or admin access)
 * @param string $username
 * @param string $permcode
 * @return boolean TRUE if the user has the permission (or admin access), else FALSE
 */
 function account_has_permission($username, $permcode) {
    $client = new GuzzleHttp\Client();
    $response = $client
            ->request('POST', PORTAL_API, [
        'form_params' => [
            'key' => PORTAL_KEY,
            'action' => "permission",
            'username' => $username,
            'code' => $permcode
        ]
    ]);
    if ($response->getStatusCode() > 299) {
        sendError("Login server error: " . $response->getBody());
    }
    $resp = json_decode($response->getBody(), TRUE);
    if ($resp['status'] == "OK") {
        return $resp['has_permission'];
    } else {
        return false;
    }
 }
 ////////////////////////////////////////////////////////////////////////////////
 //                              Login handling                                //
 ////////////////////////////////////////////////////////////////////////////////
--- a/required.php
+++ b/required.php
@ -133,6 +133,10 @@ function dieifnotloggedin() {
        sendError("Session expired.  Please log out and log in again.");
        die();
    }
    require_once __DIR__ . "/lib/login.php";
    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
        die("You don't have permission to be here.");
    }
 }
 /**
@ -186,7 +190,12 @@ if (!function_exists('base_url')) {
 function redirectIfNotLoggedIn() {
    if ($_SESSION['loggedin'] !== TRUE) {
-        header('Location: ' . URL . '/index.php');
+        header('Location: ./index.php');
        die();
    }
    require_once __DIR__ . "/lib/login.php";
    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
        header('Location: ./index.php');
        die("You don't have permission to be here.");
    }
 }